Virtual container storage interface controller
US-12175078-B2 · Dec 24, 2024 · US
US2016378688A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016378688-A1 |
| Application number | US-201514752227-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 26, 2015 |
| Priority date | Jun 26, 2015 |
| Publication date | Dec 29, 2016 |
| Grant date | — |
Official abstract text for this publication.
A processor includes a decode unit to decode an instruction that is to indicate a page of a protected container memory, and a storage location outside of the protected container memory. An execution unit, in response to the instruction, is to ensure that there are no writable references to the page of the protected container memory while it has a write protected state. The execution unit is to encrypt a copy of the page of the protected container memory. The execution unit is to store the encrypted copy of the page to the storage location outside of the protected container memory, after it has been ensured that there are no writable references. The execution unit is to leave the page of the protected container memory in the write protected state, which is also valid and readable, after the encrypted copy has been stored to the storage location.
Opening claim text (preview).
What is claimed is:

1. A processor comprising: a decode unit to decode an instruction, the instruction to indicate a page of a protected container memory, and to indicate a storage location outside of the protected container memory; and an execution unit coupled with the decode unit, the execution unit, in response to the instruction, to: ensure that no writable permissions for the page of the protected container memory are cached in the processor while the page of the protected container memory has a write protected state; encrypt a copy of the page of the protected container memory; store the encrypted copy of the page to the indicated storage location outside of the protected container memory, after it has been ensured that there are no writable references to the page of the protected container memory; and leave the page of the protected container memory in the write protected state, which is also to be valid and readable, after the encrypted copy of the page has been stored to the indicated storage location outside of the protected container memory.

2. The processor of claim 1, wherein the decode unit is to decode the instruction which is to indicate the page of the protected container memory that is already to have the write protected state.

3. The processor of claim 1, wherein the execution unit, in response to the instruction, is to write protect the indicated page of the protected container memory.

4. The processor of claim 1, wherein the decode unit is to decode the instruction which is to indicate the page of the protected container memory, which is to be in a processor reserved memory, and the instruction is to indicate the storage location which is to be outside of the processor reserved memory.

5. The processor of claim 1, wherein the execution unit, in response to the instruction, is to ensure that there are no writeable permissions for the page by ensuring that all translations for the page of the protected container memory have been flushed from all translation lookaside buffers of the processor.

6. The processor of claim 1, wherein the execution unit, in response to the instruction, is to store a version of the page having the write protected state in the protected container memory.

7. The processor of claim 1, wherein the execution unit, in response to the instruction, is to determine that a migration capable key structure, which is to have one or more migration capable cryptographic keys, has control over the page of the protected container memory prior to the encrypted copy of the page being stored to the indicated storage location.

8. The processor of claim 1, wherein the decode unit is to decode the instruction which is to indicate a page metadata structure, and wherein the execution unit, in response to the instruction, is to store metadata corresponding to the indicated page in the page metadata structure, wherein the metadata is to include a plurality of a page type, a modification status, a read permission status, a write permission status, and an execution permission status, all corresponding to the indicated page, in the page metadata structure.

9. The processor of claim 1, wherein the decode unit is to decode the instruction which is to indicate the page of the protected container memory which is to be an enclave page in an enclave page cache.

10. The processor of claim 1, wherein the decode unit is to decode the instruction which is to have an implicit general-purpose register that is to have an indication of the page of the protected container memory.

11. The processor of claim 1, wherein the decode unit is to decode the instruction which is to be a privileged-level instruction.

12. The processor of claim 1, further comprising: a branch prediction unit to predict branches; an instruction prefetch unit coupled with the branch prediction unit, the instruction prefetch unit to prefetch instructions including the instruction; a level 1 (L1) instruction cache coupled with the instruction prefetch unit, the L1 instruction cache to store instructions; an L1 data cache to store data; a level 2 (L2) cache to store data and instructions; an instruction fetch unit coupled with the decode unit, the L1 instruction cache, and the L2 cache, to fetch the instruction from one of the L1 instruction cache and the L2 cache, and to provide the instruction to the decode unit; a register rename unit to rename registers; a scheduler to schedule one or more operations that have been decoded from the instruction for execution; and a commit unit to commit execution results of the instruction.

13. A method of performing from one to three machine instructions in a processor to perform operations comprising: write protecting a page of a protected container memory; ensuring that no writable permissions for the page of the protected container memory are cached in the processor; encrypting a copy of the page of the protected container memory; storing the encrypted copy of the page of the protected container memory to a storage location that is outside of the protected container memory, after said ensuring that there are no writable references to the write protected page of the protected container memory; and leaving the write protected page of the protected container memory in a valid and readable state after said storing the encrypted copy of the page of the protected container memory to the storage location that is outside of the protected container memory.

14. The method of claim 13, further comprising reading the write protected page after said storing the encrypted copy of the page to the storage location.

15. The method of claim 13, wherein said write protecting the page comprises configuring a write protection indication in a protected container page metadata structure to indicate that the page is write protected, wherein the protected container page metadata structure stores security metadata for the write protected page.

16. The method of claim 15, wherein said configuring the write protection indication in the protected container page metadata structure comprises setting a write protect bit in an enclave page cache map.

17. The method of claim 13, further comprising: detecting an attempted write to the write protected page of the protected container memory; write unprotecting the page of the protected container memory; and invalidating the encrypted copy of the page stored in the storage location that is outside of the protected container memory.

18. The method of claim 13, wherein said write protecting is performed in response to performing a first of the machine instructions, and wherein said encrypting, said ensuring, said storing, and said leaving are performed in response to performing a second of the machine instructions.

19. A system to process instructions comprising: an interconnect; a processor coupled with the interconnect, the processor to receive an instruction, the instruction to indicate a page of a protected container memory, and to indicate a storage location outside of the protected container memory, the processor, in response to the instruction, to: ensure that there are no writable references to the page of the protected container memory, while the page of the protected container memory has a write protected state; encrypt a copy of the page of the protected container memory; store the encrypted copy of the page to the indicated storage location outside of the protected container memory, after it has been ens
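The claims describe a small state machine: a page is write protected (claims 3, 15, 16), cached writable translations for it are flushed (claim 5), an encrypted copy is written outside the protected memory while the page stays valid and readable (claims 1, 13, 14), and a later attempted write unprotects the page and invalidates the copy (claim 17). The software model below is an added example, not code from the patent, its assignee, or any processor; every name in it (PageMeta, PageCache, copy_out, restore_copy) is an assumption made for the model, and toy_encrypt/toy_decrypt are a standard-library stand-in for whatever cipher a real implementation would use. The property worth checking from a defender's view is that an encrypted copy is never treated as valid once the page it was taken from has become writable again.

```python
"""Toy model of write-protected enclave-page copy-out (added example, not the patent's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class PageMeta:
    """Per-page security metadata, modelled on claims 8, 15 and 16 (assumed field set)."""
    page_type: str
    modified: bool
    read: bool
    write: bool
    execute: bool
    write_protected: bool = False  # the write-protect bit of claim 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256; a toy construction, not a real cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def toy_encrypt(key: bytes, page_id: int, plaintext: bytes):
    """Encrypt-then-MAC with a fresh nonce; the page id is bound into the tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + page_id.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def toy_decrypt(key: bytes, page_id: int, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered copy raises instead of decrypting."""
    expect = hmac.new(key, nonce + page_id.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("encrypted copy failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class PageCache:
    """Protected container memory plus the processor's cached translations (assumed model)."""

    def __init__(self, migration_key: bytes):
        self.migration_key = migration_key  # the migration-capable key of claim 7
        self.pages = {}    # page_id -> (bytearray, PageMeta)
        self.tlb = {}      # page_id -> cached permission set, e.g. {"r", "w"}
        self.outside = {}  # storage location outside the protected memory
        self.events = []

    def add_page(self, page_id: int, data: bytes, meta: PageMeta) -> None:
        self.pages[page_id] = (bytearray(data), meta)

    def load_translation(self, page_id: int) -> None:
        # Models the processor caching the page's permissions for later accesses.
        _, m = self.pages[page_id]
        perms = {"r"} if m.read else set()
        if m.write and not m.write_protected:
            perms.add("w")
        if m.execute:
            perms.add("x")
        self.tlb[page_id] = perms

    def write_protect(self, page_id: int) -> None:
        self.pages[page_id][1].write_protected = True  # claims 3, 15, 16

    def copy_out(self, page_id: int) -> None:
        data, meta = self.pages[page_id]
        if not meta.write_protected:
            raise PermissionError("page must be write protected before copy-out (claim 2)")
        self.tlb.pop(page_id, None)  # claim 5: no writable translation may stay cached
        nonce, ct, tag = toy_encrypt(self.migration_key, page_id, bytes(data))
        # Claim 8: metadata is recorded alongside the encrypted copy.
        self.outside[page_id] = {"nonce": nonce, "ct": ct, "tag": tag,
                                 "meta": PageMeta(**vars(meta)), "valid": True}
        # The page itself is left in place, still valid and readable.

    def read(self, page_id: int) -> bytes:
        return bytes(self.pages[page_id][0])  # permitted after copy-out (claim 14)

    def write(self, page_id: int, offset: int, value: bytes) -> None:
        data, meta = self.pages[page_id]
        if meta.write_protected:
            # Claim 17: an attempted write unprotects the page and invalidates the copy.
            meta.write_protected = False
            if page_id in self.outside:
                self.outside[page_id]["valid"] = False
            self.events.append(("unprotect", page_id))
        data[offset:offset + len(value)] = value
        meta.modified = True

    def restore_copy(self, page_id: int) -> bytes:
        entry = self.outside[page_id]
        if not entry["valid"]:
            raise ValueError("encrypted copy is stale: the page was written after copy-out")
        return toy_decrypt(self.migration_key, page_id,
                           entry["nonce"], entry["ct"], entry["tag"])


def demo():
    """Walk the claimed sequence on a constructed page; returns (consistent, stale, wp_bit)."""
    epc = PageCache(migration_key=os.urandom(32))
    meta = PageMeta("REG", modified=False, read=True, write=True, execute=False)
    epc.add_page(7, b"constructed enclave page contents".ljust(64, b"\0"), meta)
    epc.load_translation(7)
    epc.write_protect(7)
    epc.copy_out(7)
    consistent = epc.restore_copy(7) == epc.read(7)  # copy matches page while WP holds
    epc.write(7, 0, b"X")                             # claim 17 path
    stale = not epc.outside[7]["valid"]
    return consistent, stale, epc.pages[7][1].write_protected


if __name__ == "__main__":
    print(demo())
```

The model keeps the ordering the claims insist on: the cached translation is dropped before the copy is encrypted, so no stale writable mapping can change the page between the copy and the moment it is stored, and the `valid` flag on the outside copy is the only thing a later consumer consults, so a copy taken before a write can never be restored as if it were current.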
Hypervisor-specific management and integration aspects · CPC title
Isolation or security of virtual machine instances · CPC title
for a range · CPC title
Distribution of virtual machine instances; Migration and load balancing · CPC title
using an access-table, e.g. matrix or list · CPC title